FTC Rules by Enforcement in Privacy, but for How Long?

Even though states are enacting privacy and data laws across the country, the U.S. doesn’t have a federal privacy law. Yet, this lack of federal legislation doesn’t mean that the U.S. isn’t protecting people’s privacy at the federal level — the Federal Trade Commission (FTC) is filling the gap.

The FTC has broad enforcement authority under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The agency has brought 20 different cases related to privacy in the last two years. The latest was on March 15, when the FTC reached a $500,000 settlement with CafePress over allegations that the company had failed to secure consumers’ sensitive personal data and covered up a major breach.

Some of the FTC’s allegations are as specific as if they had grounds in a detailed privacy regulation. In particular, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network.

The argument resembled the provisions contained in privacy laws, with the FTC claiming the defendant stored Social Security numbers and password reset answers in clear, readable text and retained the data longer than necessary. The agency also assumed the defendant had a general duty to safeguard its consumers’ data.

In fact, the FTC stated the company failed to apply readily available protections against well-known threats and to respond adequately to security incidents. In the agency’s words, “[a]s a result of its shoddy security practices, CafePress’ network was breached multiple times.”

However, the CafePress case went far beyond general duties of care and security failures. The company failed to investigate the source of other cyber-attacks and misled users by using their email addresses for marketing, despite having promised that it would use consumers’ emails only to fulfill orders they had placed.

The FTC concluded by providing some guidance on how businesses should act to avoid enforcement actions.  

In another recent case this year, the FTC also showed how far its enforcement powers can go. On March 4, the FTC ordered WW International and Kurbo to destroy all personal information collected from children under 13, as well as any algorithm derived from the data, and to pay a $1.5 million penalty.

According to the case, the companies collected information and personal data from children using a signup process in their app without requesting authorization from their parents, which is not allowed under the FTC’s Children’s Online Privacy Protection Act Rule (COPPA rule). The remedy imposed by the FTC — to order the companies to destroy the algorithm — is a new tool in the FTC’s enforcement toolbox and is a new type of sanction that a privacy law could contemplate.

The FTC’s efforts to rule by enforcement in the privacy space resemble those of another agency, the Securities and Exchange Commission (SEC), in the crypto space. In both cases, regulators are using existing legislation to regulate how companies operate in new markets like crypto assets or new practices like data breaches and privacy concerns.

While this approach of regulation by enforcement may work in the short term, it may not be sufficient in the long term. This may be one of the reasons why lawmakers are taking the first steps to legislate these areas at the federal level.

In the privacy space, Senator Richard Blumenthal introduced a new bill in February — the Kids Online Safety Act — that seeks to protect children’s privacy and data. In the crypto domain, several bills have been introduced in the House, and President Joe Biden signed an executive order in March that aims at gathering information from different federal agencies and may trigger new regulations. 
